Secure BootWritten on March 13, 2020 by Chad Warmenhoven
What is Secure Boot
To protect users' systems from malware attacks, many motherboard manufacturers implemented the Microsoft Secure Boot feature and allowed it to be enabled or disabled by the user. Secure Boot performs a 'legal loader check' during boot into the OS which means as your system boots it quickly checks every application, service, registry key, and driver for authenticity in an effort to identify malware or detect inconsistent OS files that would produce a boot failure.
The Windows OS boot flow can be classified into three parts:
- Pre Boot phase
- Boot Loader phase
- Kernel Initialization phase
Based on the platform BIOS settings, the windows boot flow can be classified as follows:
- Traditional/Legacy Boot flow
- Modern/UEFI Boot flow
Legacy and its flaws
In traditional/legacy boot flow – as the system is powered On
- Firmware conducts a Power On Self-Test – a diagnostic testing sequence to check the components of the system and detect if the system can continue to the next stage. If OK, firmware initializes the hardware components.
- Firmware next reads the boot information from CMOS to invoke the Windows Boot Manager, which reads the Boot Configuration Data to invoke the Windows Boot Loader, which in turn loads the OS kernel to the RAM and the Kernel takes over from here.
Prior to Windows 10, it was post Kernel initialization when Windows Defender service used to start – the native anti-malware shipped with Windows OS.
Thus in the traditional or legacy boot flow, there is no security measure implemented at any stage to check against corrupt or malicious code (rootkits/bootkits) and stop them from getting executed during the boot flow.
As such, boot parameters can be easily modified to run malicious code during the boot flow which can result the system to boot to an unstable state or compromise run-time security. This is a serious threat if we consider the potential for impacts in environments that depend on their system to maintain their workflow.
Windows 10 Saves the Day
With Windows 10, Microsoft introduced a number of security features built into the OS to deal with the above and protect the Windows boot flow.
- Windows Trusted Boot
- Early Launch Anti-Malware driver
- Windows Measured Boot (TPM dependency)
- Device Guard
- Credential Guard
- Widows Defender Application Guard
7. But the feature which forms the foundation for a secure Windows platform is Secure Boot – the focus of this article.
Windows 10 UEFI Secure Boot helps to secure the Windows pre-boot phase mitigating the risks against rootkits and bootkits.
For a UEFI system, as its starts, it first verifies if the firmware is digitally signed, thereby reducing the risk of firmware rootkits. If Secure Boot is enabled in UEFI, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified and it is trusted to be executed.
Let’s go through the same boot flow again, but this time with Secure Boot feature enabled in UEFI.
- Pre Boot phase: As a device is powered on, Core Root of Trust Management (usually implemented in the CPU, the first code block that gets executed when a device is powered on and is implicitly trusted to form the Root of Trust) checks signature of the UEFI boot loader provided by SoC (System on Chip) vendor and triggers it.
- Boot Loader phase: The UEFI Boot Loader verifies the signature of UEFI Firmware Image before loading it.
- Kernal Initialization phase: The UEFI Firmware then verifies the signatures of the UEFI drivers and OEM UEFI applications before initializing them. The firmware then verifies the signature of Windows Boot Manager (bootmgfw.efi) located at EFIMicrosoftBoot on the EFI System Partition and triggers it.
In the event that UEFI finds a problem with the Windows Boot Manager (bootmgfw.efi), it will replace the same with a backup copy and attempt to continue with the boot process. In case if this also fails, the UEFI firmware initiates OEM specified remediation. In our builds that means the recovery partition loads offering system reset.
If no problem with Windows Boot Manager is identified, bootmgfw.efi reads the Boot Configuration Data (bcd) located at EFIMicrosoftBootBCD on the EFI System Partition to locate the OS Bootloader (winload.efi) which is usually located at %SystemRoot%System32
The Deal with Linux
There are a few issues to consider when using Linux, such as boot mode matching and boot loader configuration. Secure boot primarily effects the way a system boots into the OS and if you have multiple OS (dual boot) then secure boot has even more relevance. Check this out for more details
Secure Boot does not adversely or positively effect performance as some have theorized. There is no evidence that performance is adjusted in the slightest bit.